Security bulletin 1

Summary

EL expressions in JSP using some Tiles JSP tags are evaluated twice.

Who should read this: All Tiles 2.1 developers
Impact of vulnerability: Remote server context exposure
Maximum security rating: High (read-only exposure)
Recommendation: Developers should not install Tiles 2.1.1 under a production environment; upgrade to Tiles 2.1.2
Affected Software: Tiles 2.1.0/2.1.1 (Tiles 2.0.x versions are safe)
Original JIRA Ticket: TILES-351
Reporter: Antonio Petrelli (Tiles PMC member)

Problem

Tiles 2.1.x allows, with the correct configuration, the use of EL expressions in Tiles configuration files.

The problem is that, if attribute values or templates are defined using some JSP tags (tiles:putAttribute, tiles:insertTemplate), the EL expression is evaluated twice: once by the container and once by the ELAttributeEvaluator class.

Now, if at the first evaluation the EL expression resolves to user-entered content, that content is itself evaluated as an expression in the second pass and could be maliciously exploited to access the server context.

This can result in unwanted exposure of server data or in XSS attacks.
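The double evaluation described above, as an added toy model in Python (this is not Tiles code; the scope names, the `dbPassword` entry and the request parameter are constructed): the first function evaluates a tag's value attribute twice, as Tiles 2.1.0/2.1.1 did, the second evaluates it once, as the fix does, and a small check flags request values that carry EL syntax for logging.

```python
import re

# Matches a single EL expression such as ${param.title} or ${applicationScope.x}.
EL = re.compile(r"\$\{([a-zA-Z_][\w.]*)\}")

def resolve(path, scopes):
    """Look up a dotted path like 'param.title' across the scope maps.
    Missing entries resolve to '' (EL renders null as the empty string)."""
    head, *rest = path.split(".")
    value = scopes.get(head, "")
    for key in rest:
        if not isinstance(value, dict):
            return ""
        value = value.get(key, "")
    return value

def evaluate_once(text, scopes):
    """One EL pass: replace every ${...} in text with its resolved value."""
    return EL.sub(lambda m: str(resolve(m.group(1), scopes)), text)

def vulnerable_put_attribute(value_attr, scopes):
    """Models Tiles 2.1.0/2.1.1: the container evaluates the tag's value
    attribute, then the attribute evaluator evaluates the result again, so
    a ${...} string that came from user input is executed as an expression."""
    container_result = evaluate_once(value_attr, scopes)
    return evaluate_once(container_result, scopes)  # the unintended second pass

def fixed_put_attribute(value_attr, scopes):
    """Models the 2.1.2 behaviour: the container-evaluated value is passed on
    as a literal and is never evaluated a second time."""
    return evaluate_once(value_attr, scopes)

def contains_expression(text):
    """Detection check: a request value that looks like EL is worth logging,
    because on a vulnerable version it would be evaluated server-side."""
    return EL.search(text) is not None

# Constructed scopes: server-only data plus one user-supplied request parameter.
SCOPES = {
    "applicationScope": {"dbPassword": "CONSTRUCTED-secret"},
    "param": {"title": "${applicationScope.dbPassword}"},  # attacker-chosen text
}
```

The vulnerable path turns the user's `${...}` text into the application-scope value, while the fixed path renders that text literally, which is harmless.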

Solution

The API and the core have been modified to separate the expression evaluation from the attribute/template manipulation made by JSP tags in a safe way.

Since Tiles 2.1.1 is still in beta, the recommendation is not to install it in a production environment. A release, in this case, is not necessary. Experimenters can download the latest version of Tiles from the SVN repository.